1. Field of the Invention
This invention relates generally to a system and method for securely downloading firmware to a vehicle electronic control unit (ECU) and, more particularly, to a system and method for securely downloading firmware to a vehicle ECU that includes verifying that the firmware is authentic by validating the firmware using two separate trusted sources.
2. Discussion of the Related Art
Many modern vehicles include electronic control units (ECUs), or controllers, which control the operation of vehicle systems, such as the powertrain, climate control system, infotainment system, body systems, chassis systems, and others. Such controllers require special purpose-designed software, i.e., application code and calibrations, in order to perform the control functions. With the increasing number and complexity of these controllers, and the growing threat posed by developers of malicious software, it is more important than ever to authenticate the source and content of binary files which are loaded on automotive controllers. The consequences of using software which is not properly validated, or worse, maliciously-designed, in a vehicle controller include unintended behavior of the vehicle or its systems, loss of anti-theft features on the vehicle, potential tampering with components such as the odometer, and loss of other vehicle features and functions.
One known digital coding technique, referred to as asymmetric key cryptography, uses digital signatures for authenticating files that are programmed into controllers. As is understood by those skilled in the art, asymmetric key cryptography uses a pair of mathematically-related keys, known as a private key and a public key, to encrypt and decrypt a message. To create a digital signature, a signer uses his private key, which is known only to himself, to encrypt a message. The digital signature can later be decrypted by another party using the public key, which is paired to the signer's private key.
Flashing is a well known process for downloading software, calibration files and other applications into the memory of a vehicle ECU or other programmable device. A bootloader is an embedded software program loaded in the memory of the ECU that provides an interface between the ECU and the computer device that is downloading the software. The bootloader flashes the operating software and calibration files into the ECU memory, where the operating software causes the various vehicle functions to operate in conjunction with each other and the calibration files hold the various vehicle parameters, such as pressures, temperatures, etc., for the particular vehicle systems. The bootloader typically employs asymmetric key cryptography and stores a public key that must be used to decode a digital signature transferred by the uploading computer before downloading to or reflashing of the ECU is allowed, in order to prevent malicious software or calibration files from being downloaded into the ECU.
Known digital coding techniques, such as the asymmetric key cryptography with digital signatures referred to above, are very good at preventing potential hackers from flashing unauthentic software into the ECU. However, alternate forms of malicious attack on firmware to be downloaded to a vehicle ECU can come from within an organization that has knowledge of the public and private keys, where the potential hacker somehow gains access to the public and private keys without having to decrypt them.
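The bootloader check described above, and why a single leaked key defeats it, as an added example that is not part of the patent or its claimed method: the image layout, the use of Ed25519 over a SHA-256 digest, and the reading of "two separate trusted sources" as two independently held signing keys are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not the patent's format):
// [sig from source A][sig from source B][payload]; both 64-byte signatures
// cover SHA-256 of the payload, as the bootloader hashes the flash image.
const sigLen = ed25519.SignatureSize

// BootloaderKeys models the two public keys held in ECU memory.
type BootloaderKeys struct{ SourceA, SourceB ed25519.PublicKey }

// VerifyFirmware returns the payload only if both trusted sources signed it.
// An insider holding just one private key cannot forge the other signature.
func VerifyFirmware(keys BootloaderKeys, image []byte) ([]byte, error) {
	if len(image) < 2*sigLen+1 {
		return nil, errors.New("image too short")
	}
	sigA, sigB, payload := image[:sigLen], image[sigLen:2*sigLen], image[2*sigLen:]
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(keys.SourceA, digest[:], sigA) {
		return nil, errors.New("source A signature invalid")
	}
	if !ed25519.Verify(keys.SourceB, digest[:], sigB) {
		return nil, errors.New("source B signature invalid")
	}
	return payload, nil
}

// SignFirmware builds an image; privA and privB belong to the two sources.
func SignFirmware(privA, privB ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	img := append([]byte{}, ed25519.Sign(privA, digest[:])...)
	img = append(img, ed25519.Sign(privB, digest[:])...)
	return append(img, payload...)
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(nil)
	pubB, privB, _ := ed25519.GenerateKey(nil)
	img := SignFirmware(privA, privB, []byte("constructed calibration blob"))
	_, err := VerifyFirmware(BootloaderKeys{SourceA: pubA, SourceB: pubB}, img)
	fmt.Println("genuine image accepted:", err == nil)
}
```

An image signed with source A's key plus any key the ECU does not hold fails the second check, which is the insider case the text raises.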